There is a serious security hole in the web interface for Aastra phones: anyone who can reach the configuration pages can read the SIP credentials, including the SIP password, in the HTML source of those pages.
For this reason, we very strongly urge the following steps be taken to secure the phone:
- Change the administrative password for phone access. The default password is widely known and makes access to the web interface easy; changing it is also a security best practice.
- Keep ALL phones behind a NAT device at all times, and ensure that no phone's web interface on port 80 is reachable from the internet.
- We have reported this issue to Aastra; at present there is no timeline for a resolution.
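One way to verify the second step, that no phone's web interface answers on port 80 from outside the NAT, is a small exposure check run against a phone inventory. The script below is an added example, not code from the advisory or from Aastra; the `Phone` inventory, its `public_address` field and the addresses in it are constructed for illustration (they are documentation ranges, not real phones). The probe must be run from a vantage point on the internet side of the NAT: a connect that fails from inside your own LAN says nothing about exposure from outside.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Port of the phone web interface named in the advisory.
WEB_UI_PORT = 80


@dataclass(frozen=True)
class Phone:
    name: str
    public_address: str  # address of the phone as seen from outside the NAT (hypothetical inventory field)


# Constructed inventory for illustration only: RFC 5737 documentation addresses, not real phones.
PHONE_INVENTORY = [
    Phone("lobby-phone", "192.0.2.10"),
    Phone("reception-phone", "192.0.2.11"),
    Phone("desk-phone-7", "198.51.100.25"),
]


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within the timeout.

    Run this from outside the NAT. A successful connect means the phone's web
    interface, and therefore its configuration pages, is reachable from there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered or timed out: the port is not reachable from here.
        return False


def find_exposed_phones(phones: Iterable[Phone], port: int = WEB_UI_PORT,
                        probe: Callable[[str, int], bool] = tcp_port_open) -> List[Phone]:
    """Return the phones whose web interface answers on `port`.

    `probe` is injectable so the logic can be exercised without network access.
    """
    return [phone for phone in phones if probe(phone.public_address, port)]


def exposure_report(phones: Iterable[Phone], port: int = WEB_UI_PORT,
                    probe: Callable[[str, int], bool] = tcp_port_open) -> str:
    """Build a one-line-per-phone report naming every phone that is exposed."""
    phones = list(phones)  # the iterable is walked twice, so materialise it once
    exposed = find_exposed_phones(phones, port, probe)
    if not exposed:
        return f"OK: none of {len(phones)} phones answer on port {port} from this vantage point"
    lines = [f"EXPOSED: {len(exposed)} of {len(phones)} phones answer on port {port}"]
    lines += [f"  {p.name} ({p.public_address}): web interface reachable, block it at the NAT/firewall"
              for p in exposed]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real probe against the constructed inventory; from a normal network the
    # documentation addresses simply do not answer, so this prints the OK line.
    print(exposure_report(PHONE_INVENTORY))
```

Swap `PHONE_INVENTORY` for the phones' actual public-facing addresses and run the script from an external host; any phone listed as EXPOSED needs an inbound rule removed (or a port-forward deleted) on the NAT device, in addition to the administrative password change above.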